snipe-auth-rbac 0.1.0

package/dist/chunk-BRCJUCDG.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/fetchers.ts"],"sourcesContent":["/**\n * Built-in fetchers — adopters can use these or pass their own\n * implementation of `AuthRbacFetcher`.\n */\n\nimport type { AuthRbacFetcher, UserProfile } from \"./types.js\";\n\n/**\n * Calls the package's SQL function `auth_rbac_user_profile(uuid)` via\n * a Supabase JS client. Easiest path when the host project already\n * uses Supabase.\n *\n * @example\n * createSupabaseFetcher({ supabase, userId: session.user.id })\n */\nexport function createSupabaseFetcher(opts: {\n  supabase: {\n    rpc: (\n      fn: string,\n      args: Record<string, unknown>,\n    ) => Promise<{ data: unknown; error: { message: string } | null }>;\n  };\n  userId: string;\n}): AuthRbacFetcher {\n  return {\n    async fetchProfile(): Promise<UserProfile> {\n      const { data, error } = await opts.supabase.rpc(\n        \"auth_rbac_user_profile\",\n        { p_user_id: opts.userId },\n      );\n      if (error) {\n        throw new Error(\n          `auth-rbac: failed to load user profile via Supabase RPC: ${error.message}`,\n        );\n      }\n      return normalizeProfile(data);\n    },\n  };\n}\n\n/**\n * Calls a regular HTTP endpoint that returns a `UserProfile` JSON\n * payload. Use this when the host project has its own backend that\n * wraps the package's Python helpers (or any equivalent).\n *\n * @example\n * createHttpFetcher({ url: \"/api/users/me/profile\" })\n */\nexport function createHttpFetcher(opts: {\n  url: string;\n  /** Forwarded as-is to `fetch`. Use this to attach auth headers. */\n  init?: RequestInit;\n  /** Override the global `fetch` if you're in a non-browser env. */\n  fetch?: typeof fetch;\n}): AuthRbacFetcher {\n  const fetchImpl = opts.fetch ?? globalThis.fetch;\n  return {\n    async fetchProfile(): Promise<UserProfile> {\n      const res = await fetchImpl(opts.url, opts.init);\n      if (!res.ok) {\n        throw new Error(\n          `auth-rbac: profile endpoint ${opts.url} returned ${res.status}`,\n        );\n      }\n      const json = (await res.json()) as unknown;\n      return normalizeProfile(json);\n    },\n  };\n}\n\n/**\n * Defensive normalisation: the Supabase RPC returns whatever the SQL\n * function emitted. We coerce missing fields into the empty defaults\n * so consumers can iterate without null checks. Throws if the shape\n * is unrecognisable.\n */\nfunction normalizeProfile(raw: unknown): UserProfile {\n  if (!raw || typeof raw !== \"object\") {\n    throw new Error(\"auth-rbac: profile payload is not an object\");\n  }\n  const p = raw as Partial<UserProfile> & Record<string, unknown>;\n  if (typeof p.user_id !== \"string\") {\n    throw new Error(\"auth-rbac: profile payload missing user_id\");\n  }\n  return {\n    user_id: p.user_id,\n    is_super_admin: !!p.is_super_admin,\n    system_roles: Array.isArray(p.system_roles) ? p.system_roles : [],\n    system_permissions:\n      p.system_permissions && typeof p.system_permissions === \"object\"\n        ? (p.system_permissions as UserProfile[\"system_permissions\"])\n        : {},\n    system_frontend_config:\n      p.system_frontend_config && typeof p.system_frontend_config === \"object\"\n        ? (p.system_frontend_config as UserProfile[\"system_frontend_config\"])\n        : {},\n    memberships: Array.isArray(p.memberships)\n      ? (p.memberships as UserProfile[\"memberships\"])\n      : [],\n  };\n}\n"],"mappings":";AAeO,SAAS,sBAAsB,MAQlB;AAClB,SAAO;AAAA,IACL,MAAM,eAAqC;AACzC,YAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAAS;AAAA,QAC1C;AAAA,QACA,EAAE,WAAW,KAAK,OAAO;AAAA,MAC3B;AACA,UAAI,OAAO;AACT,cAAM,IAAI;AAAA,UACR,4DAA4D,MAAM,OAAO;AAAA,QAC3E;AAAA,MACF;AACA,aAAO,iBAAiB,IAAI;AAAA,IAC9B;AAAA,EACF;AACF;AAUO,SAAS,kBAAkB,MAMd;AAClB,QAAM,YAAY,KAAK,SAAS,WAAW;AAC3C,SAAO;AAAA,IACL,MAAM,eAAqC;AACzC,YAAM,MAAM,MAAM,UAAU,KAAK,KAAK,KAAK,IAAI;AAC/C,UAAI,CAAC,IAAI,IAAI;AACX,cAAM,IAAI;AAAA,UACR,+BAA+B,KAAK,GAAG,aAAa,IAAI,MAAM;AAAA,QAChE;AAAA,MACF;AACA,YAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,aAAO,iBAAiB,IAAI;AAAA,IAC9B;AAAA,EACF;AACF;AAQA,SAAS,iBAAiB,KAA2B;AACnD,MAAI,CAAC,OAAO,OAAO,QAAQ,UAAU;AACnC,UAAM,IAAI,MAAM,6CAA6C;AAAA,EAC/D;AACA,QAAM,IAAI;AACV,MAAI,OAAO,EAAE,YAAY,UAAU;AACjC,UAAM,IAAI,MAAM,4CAA4C;AAAA,EAC9D;AACA,SAAO;AAAA,IACL,SAAS,EAAE;AAAA,IACX,gBAAgB,CAAC,CAAC,EAAE;AAAA,IACpB,cAAc,MAAM,QAAQ,EAAE,YAAY,IAAI,EAAE,eAAe,CAAC;AAAA,IAChE,oBACE,EAAE,sBAAsB,OAAO,EAAE,uBAAuB,WACnD,EAAE,qBACH,CAAC;AAAA,IACP,wBACE,EAAE,0BAA0B,OAAO,EAAE,2BAA2B,WAC3D,EAAE,yBACH,CAAC;AAAA,IACP,aAAa,MAAM,QAAQ,EAAE,WAAW,IACnC,EAAE,cACH,CAAC;AAAA,EACP;AACF;","names":[]}

package/dist/index.cjs

@@ -0,0 +1,148 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  buildPermissionResolver: () => buildPermissionResolver,
+  createHttpFetcher: () => createHttpFetcher,
+  createSupabaseFetcher: () => createSupabaseFetcher,
+  groupResources: () => groupResources
+});
+module.exports = __toCommonJS(src_exports);
+
+// src/client.ts
+function buildPermissionResolver(resources, profile, defaultCompanyId) {
+  const scopeByResource = new Map(
+    resources.map((r) => [r.resource, r.scope])
+  );
+  const can = (resource, action, options) => {
+    if (profile.is_super_admin) {
+      return true;
+    }
+    const scope = scopeByResource.get(resource);
+    if (!scope) {
+      return false;
+    }
+    if (scope === "system") {
+      return readGrid(profile.system_permissions, resource, action);
+    }
+    const companyId = options?.companyId ?? defaultCompanyId;
+    if (!companyId) {
+      return false;
+    }
+    const membership = profile.memberships.find(
+      (m) => m.company_id === companyId
+    );
+    if (!membership) {
+      return false;
+    }
+    return readGrid(membership.permissions, resource, action);
+  };
+  return {
+    can,
+    /** Permission map for the active (or specified) company. */
+    activePermissions: (companyId) => {
+      const id = companyId ?? defaultCompanyId;
+      if (!id) {
+        return {};
+      }
+      return profile.memberships.find((m) => m.company_id === id)?.permissions ?? {};
+    },
+    systemPermissions: () => profile.system_permissions
+  };
+}
+function readGrid(map, resource, action) {
+  const grid = map[resource];
+  if (!grid) {
+    return false;
+  }
+  return grid[action];
+}
+function groupResources(registry) {
+  const order = [];
+  const buckets = /* @__PURE__ */ new Map();
+  for (const r of registry) {
+    const key = r.group ?? "Sonstige";
+    if (!buckets.has(key)) {
+      buckets.set(key, []);
+      order.push(key);
+    }
+    buckets.get(key).push(r);
+  }
+  return order.map((g) => ({ group: g, resources: buckets.get(g) }));
+}
+
+// src/fetchers.ts
+function createSupabaseFetcher(opts) {
+  return {
+    async fetchProfile() {
+      const { data, error } = await opts.supabase.rpc(
+        "auth_rbac_user_profile",
+        { p_user_id: opts.userId }
+      );
+      if (error) {
+        throw new Error(
+          `auth-rbac: failed to load user profile via Supabase RPC: ${error.message}`
+        );
+      }
+      return normalizeProfile(data);
+    }
+  };
+}
+function createHttpFetcher(opts) {
+  const fetchImpl = opts.fetch ?? globalThis.fetch;
+  return {
+    async fetchProfile() {
+      const res = await fetchImpl(opts.url, opts.init);
+      if (!res.ok) {
+        throw new Error(
+          `auth-rbac: profile endpoint ${opts.url} returned ${res.status}`
+        );
+      }
+      const json = await res.json();
+      return normalizeProfile(json);
+    }
+  };
+}
+function normalizeProfile(raw) {
+  if (!raw || typeof raw !== "object") {
+    throw new Error("auth-rbac: profile payload is not an object");
+  }
+  const p = raw;
+  if (typeof p.user_id !== "string") {
+    throw new Error("auth-rbac: profile payload missing user_id");
+  }
+  return {
+    user_id: p.user_id,
+    is_super_admin: !!p.is_super_admin,
+    system_roles: Array.isArray(p.system_roles) ? p.system_roles : [],
+    system_permissions: p.system_permissions && typeof p.system_permissions === "object" ? p.system_permissions : {},
+    system_frontend_config: p.system_frontend_config && typeof p.system_frontend_config === "object" ? p.system_frontend_config : {},
+    memberships: Array.isArray(p.memberships) ? p.memberships : []
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  buildPermissionResolver,
+  createHttpFetcher,
+  createSupabaseFetcher,
+  groupResources
+});
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts","../src/client.ts","../src/fetchers.ts"],"sourcesContent":["/**\n * Public entry — transport-agnostic. Use this in non-React code\n * (Node, scripts, edge workers). React hosts should import from\n * `snipe-auth-rbac/react`.\n */\n\nexport type {\n  Action,\n  AuthRbacFetcher,\n  CompanyMembership,\n  FrontendConfig,\n  PermissionGrid,\n  PermissionMap,\n  ResourceDescriptor,\n  ResourceRegistry,\n  ResourceScope,\n  RoleSummary,\n  UserProfile,\n} from \"./types.js\";\n\nexport {\n  buildPermissionResolver,\n  groupResources,\n  type AuthRbacClient,\n  type CanOptions,\n  type ClientOptions,\n} from \"./client.js\";\n\nexport {\n  createSupabaseFetcher,\n  createHttpFetcher,\n} from \"./fetchers.js\";\n","/**\n * Transport-agnostic client: turns an adopter-supplied\n * `AuthRbacFetcher` into a permission resolver. The React provider\n * wraps this; non-React consumers (Node scripts, edge functions)\n * can use it directly.\n */\n\nimport type {\n  Action,\n  AuthRbacFetcher,\n  PermissionMap,\n  ResourceDescriptor,\n  ResourceRegistry,\n  ResourceScope,\n  UserProfile,\n} from \"./types.js\";\n\nexport interface AuthRbacClientOptions {\n  fetcher: AuthRbacFetcher;\n  /**\n   * The host project's full resource list. Required so the resolver\n   * can look up a resource's scope without a DB round-trip per call.\n   * Re-using the same array the host syncs into the\n   * `auth_rbac_resources` table at boot keeps everything in lockstep.\n   */\n  resources: ResourceRegistry;\n}\n\nexport interface CanOptions {\n  /**\n   * Override the active company. Omit to use the company the\n   * caller has currently activated (the React provider tracks\n   * this; for direct client use you must pass it).\n   */\n  companyId?: string | null;\n}\n\n/**\n * Pure resolver. Given a hydrated profile it answers boolean\n * questions instantly — no I/O. The `resourceMap` is built once at\n * construction so per-call work is two map lookups.\n */\nexport function buildPermissionResolver(\n  resources: ResourceRegistry,\n  profile: UserProfile,\n  defaultCompanyId: string | null,\n) {\n  const scopeByResource = new Map<string, ResourceScope>(\n    resources.map((r) => [r.resource, r.scope]),\n  );\n\n  const can = (\n    resource: string,\n    action: Action,\n    options?: CanOptions,\n  ): boolean => {\n    if (profile.is_super_admin) {\n      return true;\n    }\n    const scope = scopeByResource.get(resource);\n    if (!scope) {\n      // Unknown resource — fail closed.\n      return false;\n    }\n    if (scope === \"system\") {\n      return readGrid(profile.system_permissions, resource, action);\n    }\n    const companyId = options?.companyId ?? defaultCompanyId;\n    if (!companyId) {\n      return false;\n    }\n    const membership = profile.memberships.find(\n      (m) => m.company_id === companyId,\n    );\n    if (!membership) {\n      return false;\n    }\n    return readGrid(membership.permissions, resource, action);\n  };\n\n  return {\n    can,\n    /** Permission map for the active (or specified) company. */\n    activePermissions: (companyId?: string | null): PermissionMap => {\n      const id = companyId ?? defaultCompanyId;\n      if (!id) {\n        return {};\n      }\n      return (\n        profile.memberships.find((m) => m.company_id === id)?.permissions ?? {}\n      );\n    },\n    systemPermissions: (): PermissionMap => profile.system_permissions,\n  };\n}\n\nfunction readGrid(\n  map: PermissionMap,\n  resource: string,\n  action: Action,\n): boolean {\n  const grid = map[resource];\n  if (!grid) {\n    return false;\n  }\n  return grid[action];\n}\n\n/**\n * Helper: groups a resource registry by `group` for the matrix UI.\n * Returns groups in insertion order with their resources.\n */\nexport function groupResources(\n  registry: ResourceRegistry,\n): Array<{ group: string; resources: ResourceDescriptor[] }> {\n  const order: string[] = [];\n  const buckets = new Map<string, ResourceDescriptor[]>();\n  for (const r of registry) {\n    const key = r.group ?? \"Sonstige\";\n    if (!buckets.has(key)) {\n      buckets.set(key, []);\n      order.push(key);\n    }\n    buckets.get(key)!.push(r);\n  }\n  return order.map((g) => ({ group: g, resources: buckets.get(g)! }));\n}\n\nexport type AuthRbacClient = ReturnType<typeof buildPermissionResolver>;\nexport type { AuthRbacClientOptions as ClientOptions };\n","/**\n * Built-in fetchers — adopters can use these or pass their own\n * implementation of `AuthRbacFetcher`.\n */\n\nimport type { AuthRbacFetcher, UserProfile } from \"./types.js\";\n\n/**\n * Calls the package's SQL function `auth_rbac_user_profile(uuid)` via\n * a Supabase JS client. Easiest path when the host project already\n * uses Supabase.\n *\n * @example\n * createSupabaseFetcher({ supabase, userId: session.user.id })\n */\nexport function createSupabaseFetcher(opts: {\n  supabase: {\n    rpc: (\n      fn: string,\n      args: Record<string, unknown>,\n    ) => Promise<{ data: unknown; error: { message: string } | null }>;\n  };\n  userId: string;\n}): AuthRbacFetcher {\n  return {\n    async fetchProfile(): Promise<UserProfile> {\n      const { data, error } = await opts.supabase.rpc(\n        \"auth_rbac_user_profile\",\n        { p_user_id: opts.userId },\n      );\n      if (error) {\n        throw new Error(\n          `auth-rbac: failed to load user profile via Supabase RPC: ${error.message}`,\n        );\n      }\n      return normalizeProfile(data);\n    },\n  };\n}\n\n/**\n * Calls a regular HTTP endpoint that returns a `UserProfile` JSON\n * payload. Use this when the host project has its own backend that\n * wraps the package's Python helpers (or any equivalent).\n *\n * @example\n * createHttpFetcher({ url: \"/api/users/me/profile\" })\n */\nexport function createHttpFetcher(opts: {\n  url: string;\n  /** Forwarded as-is to `fetch`. Use this to attach auth headers. */\n  init?: RequestInit;\n  /** Override the global `fetch` if you're in a non-browser env. */\n  fetch?: typeof fetch;\n}): AuthRbacFetcher {\n  const fetchImpl = opts.fetch ?? globalThis.fetch;\n  return {\n    async fetchProfile(): Promise<UserProfile> {\n      const res = await fetchImpl(opts.url, opts.init);\n      if (!res.ok) {\n        throw new Error(\n          `auth-rbac: profile endpoint ${opts.url} returned ${res.status}`,\n        );\n      }\n      const json = (await res.json()) as unknown;\n      return normalizeProfile(json);\n    },\n  };\n}\n\n/**\n * Defensive normalisation: the Supabase RPC returns whatever the SQL\n * function emitted. We coerce missing fields into the empty defaults\n * so consumers can iterate without null checks. Throws if the shape\n * is unrecognisable.\n */\nfunction normalizeProfile(raw: unknown): UserProfile {\n  if (!raw || typeof raw !== \"object\") {\n    throw new Error(\"auth-rbac: profile payload is not an object\");\n  }\n  const p = raw as Partial<UserProfile> & Record<string, unknown>;\n  if (typeof p.user_id !== \"string\") {\n    throw new Error(\"auth-rbac: profile payload missing user_id\");\n  }\n  return {\n    user_id: p.user_id,\n    is_super_admin: !!p.is_super_admin,\n    system_roles: Array.isArray(p.system_roles) ? p.system_roles : [],\n    system_permissions:\n      p.system_permissions && typeof p.system_permissions === \"object\"\n        ? (p.system_permissions as UserProfile[\"system_permissions\"])\n        : {},\n    system_frontend_config:\n      p.system_frontend_config && typeof p.system_frontend_config === \"object\"\n        ? (p.system_frontend_config as UserProfile[\"system_frontend_config\"])\n        : {},\n    memberships: Array.isArray(p.memberships)\n      ? (p.memberships as UserProfile[\"memberships\"])\n      : [],\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;AC0CO,SAAS,wBACd,WACA,SACA,kBACA;AACA,QAAM,kBAAkB,IAAI;AAAA,IAC1B,UAAU,IAAI,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,KAAK,CAAC;AAAA,EAC5C;AAEA,QAAM,MAAM,CACV,UACA,QACA,YACY;AACZ,QAAI,QAAQ,gBAAgB;AAC1B,aAAO;AAAA,IACT;AACA,UAAM,QAAQ,gBAAgB,IAAI,QAAQ;AAC1C,QAAI,CAAC,OAAO;AAEV,aAAO;AAAA,IACT;AACA,QAAI,UAAU,UAAU;AACtB,aAAO,SAAS,QAAQ,oBAAoB,UAAU,MAAM;AAAA,IAC9D;AACA,UAAM,YAAY,SAAS,aAAa;AACxC,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,IACT;AACA,UAAM,aAAa,QAAQ,YAAY;AAAA,MACrC,CAAC,MAAM,EAAE,eAAe;AAAA,IAC1B;AACA,QAAI,CAAC,YAAY;AACf,aAAO;AAAA,IACT;AACA,WAAO,SAAS,WAAW,aAAa,UAAU,MAAM;AAAA,EAC1D;AAEA,SAAO;AAAA,IACL;AAAA;AAAA,IAEA,mBAAmB,CAAC,cAA6C;AAC/D,YAAM,KAAK,aAAa;AACxB,UAAI,CAAC,IAAI;AACP,eAAO,CAAC;AAAA,MACV;AACA,aACE,QAAQ,YAAY,KAAK,CAAC,MAAM,EAAE,eAAe,EAAE,GAAG,eAAe,CAAC;AAAA,IAE1E;AAAA,IACA,mBAAmB,MAAqB,QAAQ;AAAA,EAClD;AACF;AAEA,SAAS,SACP,KACA,UACA,QACS;AACT,QAAM,OAAO,IAAI,QAAQ;AACzB,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,EACT;AACA,SAAO,KAAK,MAAM;AACpB;AAMO,SAAS,eACd,UAC2D;AAC3D,QAAM,QAAkB,CAAC;AACzB,QAAM,UAAU,oBAAI,IAAkC;AACtD,aAAW,KAAK,UAAU;AACxB,UAAM,MAAM,EAAE,SAAS;AACvB,QAAI,CAAC,QAAQ,IAAI,GAAG,GAAG;AACrB,cAAQ,IAAI,KAAK,CAAC,CAAC;AACnB,YAAM,KAAK,GAAG;AAAA,IAChB;AACA,YAAQ,IAAI,GAAG,EAAG,KAAK,CAAC;AAAA,EAC1B;AACA,SAAO,MAAM,IAAI,CAAC,OAAO,EAAE,OAAO,GAAG,WAAW,QAAQ,IAAI,CAAC,EAAG,EAAE;AACpE;;;AC/GO,SAAS,sBAAsB,MAQlB;AAClB,SAAO;AAAA,IACL,MAAM,eAAqC;AACzC,YAAM,EAAE,MAAM,MAAM,IAAI,MAAM,KAAK,SAAS;AAAA,QAC1C;AAAA,QACA,EAAE,WAAW,KAAK,OAAO;AAAA,MAC3B;AACA,UAAI,OAAO;AACT,cAAM,IAAI;AAAA,UACR,4DAA4D,MAAM,OAAO;AAAA,QAC3E;AAAA,MACF;AACA,aAAO,iBAAiB,IAAI;AAAA,IAC9B;AAAA,EACF;AACF;AAUO,SAAS,kBAAkB,MAMd;AAClB,QAAM,YAAY,KAAK,SAAS,WAAW;AAC3C,SAAO;AAAA,IACL,MAAM,eAAqC;AACzC,YAAM,MAAM,MAAM,UAAU,KAAK,KAAK,KAAK,IAAI;AAC/C,UAAI,CAAC,IAAI,IAAI;AACX,cAAM,IAAI;AAAA,UACR,+BAA+B,KAAK,GAAG,aAAa,IAAI,MAAM;AAAA,QAChE;AAAA,MACF;AACA,YAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,aAAO,iBAAiB,IAAI;AAAA,IAC9B;AAAA,EACF;AACF;AAQA,SAAS,iBAAiB,KAA2B;AACnD,MAAI,CAAC,OAAO,OAAO,QAAQ,UAAU;AACnC,UAAM,IAAI,MAAM,6CAA6C;AAAA,EAC/D;AACA,QAAM,IAAI;AACV,MAAI,OAAO,EAAE,YAAY,UAAU;AACjC,UAAM,IAAI,MAAM,4CAA4C;AAAA,EAC9D;AACA,SAAO;AAAA,IACL,SAAS,EAAE;AAAA,IACX,gBAAgB,CAAC,CAAC,EAAE;AAAA,IACpB,cAAc,MAAM,QAAQ,EAAE,YAAY,IAAI,EAAE,eAAe,CAAC;AAAA,IAChE,oBACE,EAAE,sBAAsB,OAAO,EAAE,uBAAuB,WACnD,EAAE,qBACH,CAAC;AAAA,IACP,wBACE,EAAE,0BAA0B,OAAO,EAAE,2BAA2B,WAC3D,EAAE,yBACH,CAAC;AAAA,IACP,aAAa,MAAM,QAAQ,EAAE,WAAW,IACnC,EAAE,cACH,CAAC;AAAA,EACP;AACF;","names":[]}

package/dist/index.d.cts

@@ -0,0 +1,90 @@
+import { c as ResourceRegistry, U as UserProfile, A as Action, d as PermissionMap, b as AuthRbacFetcher, a as ResourceDescriptor } from './types-BEc5SCIo.cjs';
+export { C as CompanyMembership, F as FrontendConfig, P as PermissionGrid, R as ResourceScope, e as RoleSummary } from './types-BEc5SCIo.cjs';
+
+/**
+ * Transport-agnostic client: turns an adopter-supplied
+ * `AuthRbacFetcher` into a permission resolver. The React provider
+ * wraps this; non-React consumers (Node scripts, edge functions)
+ * can use it directly.
+ */
+
+interface AuthRbacClientOptions {
+    fetcher: AuthRbacFetcher;
+    /**
+     * The host project's full resource list. Required so the resolver
+     * can look up a resource's scope without a DB round-trip per call.
+     * Re-using the same array the host syncs into the
+     * `auth_rbac_resources` table at boot keeps everything in lockstep.
+     */
+    resources: ResourceRegistry;
+}
+interface CanOptions {
+    /**
+     * Override the active company. Omit to use the company the
+     * caller has currently activated (the React provider tracks
+     * this; for direct client use you must pass it).
+     */
+    companyId?: string | null;
+}
+/**
+ * Pure resolver. Given a hydrated profile it answers boolean
+ * questions instantly — no I/O. The `resourceMap` is built once at
+ * construction so per-call work is two map lookups.
+ */
+declare function buildPermissionResolver(resources: ResourceRegistry, profile: UserProfile, defaultCompanyId: string | null): {
+    can: (resource: string, action: Action, options?: CanOptions) => boolean;
+    /** Permission map for the active (or specified) company. */
+    activePermissions: (companyId?: string | null) => PermissionMap;
+    systemPermissions: () => PermissionMap;
+};
+/**
+ * Helper: groups a resource registry by `group` for the matrix UI.
+ * Returns groups in insertion order with their resources.
+ */
+declare function groupResources(registry: ResourceRegistry): Array<{
+    group: string;
+    resources: ResourceDescriptor[];
+}>;
+type AuthRbacClient = ReturnType<typeof buildPermissionResolver>;
+
+/**
+ * Built-in fetchers — adopters can use these or pass their own
+ * implementation of `AuthRbacFetcher`.
+ */
+
+/**
+ * Calls the package's SQL function `auth_rbac_user_profile(uuid)` via
+ * a Supabase JS client. Easiest path when the host project already
+ * uses Supabase.
+ *
+ * @example
+ * createSupabaseFetcher({ supabase, userId: session.user.id })
+ */
+declare function createSupabaseFetcher(opts: {
+    supabase: {
+        rpc: (fn: string, args: Record<string, unknown>) => Promise<{
+            data: unknown;
+            error: {
+                message: string;
+            } | null;
+        }>;
+    };
+    userId: string;
+}): AuthRbacFetcher;
+/**
+ * Calls a regular HTTP endpoint that returns a `UserProfile` JSON
+ * payload. Use this when the host project has its own backend that
+ * wraps the package's Python helpers (or any equivalent).
+ *
+ * @example
+ * createHttpFetcher({ url: "/api/users/me/profile" })
+ */
+declare function createHttpFetcher(opts: {
+    url: string;
+    /** Forwarded as-is to `fetch`. Use this to attach auth headers. */
+    init?: RequestInit;
+    /** Override the global `fetch` if you're in a non-browser env. */
+    fetch?: typeof fetch;
+}): AuthRbacFetcher;
+
+export { Action, type AuthRbacClient, AuthRbacFetcher, type CanOptions, type AuthRbacClientOptions as ClientOptions, PermissionMap, ResourceDescriptor, ResourceRegistry, UserProfile, buildPermissionResolver, createHttpFetcher, createSupabaseFetcher, groupResources };

package/dist/index.d.ts

@@ -0,0 +1,90 @@
+import { c as ResourceRegistry, U as UserProfile, A as Action, d as PermissionMap, b as AuthRbacFetcher, a as ResourceDescriptor } from './types-BEc5SCIo.js';
+export { C as CompanyMembership, F as FrontendConfig, P as PermissionGrid, R as ResourceScope, e as RoleSummary } from './types-BEc5SCIo.js';
+
+/**
+ * Transport-agnostic client: turns an adopter-supplied
+ * `AuthRbacFetcher` into a permission resolver. The React provider
+ * wraps this; non-React consumers (Node scripts, edge functions)
+ * can use it directly.
+ */
+
+interface AuthRbacClientOptions {
+    fetcher: AuthRbacFetcher;
+    /**
+     * The host project's full resource list. Required so the resolver
+     * can look up a resource's scope without a DB round-trip per call.
+     * Re-using the same array the host syncs into the
+     * `auth_rbac_resources` table at boot keeps everything in lockstep.
+     */
+    resources: ResourceRegistry;
+}
+interface CanOptions {
+    /**
+     * Override the active company. Omit to use the company the
+     * caller has currently activated (the React provider tracks
+     * this; for direct client use you must pass it).
+     */
+    companyId?: string | null;
+}
+/**
+ * Pure resolver. Given a hydrated profile it answers boolean
+ * questions instantly — no I/O. The `resourceMap` is built once at
+ * construction so per-call work is two map lookups.
+ */
+declare function buildPermissionResolver(resources: ResourceRegistry, profile: UserProfile, defaultCompanyId: string | null): {
+    can: (resource: string, action: Action, options?: CanOptions) => boolean;
+    /** Permission map for the active (or specified) company. */
+    activePermissions: (companyId?: string | null) => PermissionMap;
+    systemPermissions: () => PermissionMap;
+};
+/**
+ * Helper: groups a resource registry by `group` for the matrix UI.
+ * Returns groups in insertion order with their resources.
+ */
+declare function groupResources(registry: ResourceRegistry): Array<{
+    group: string;
+    resources: ResourceDescriptor[];
+}>;
+type AuthRbacClient = ReturnType<typeof buildPermissionResolver>;
+
+/**
+ * Built-in fetchers — adopters can use these or pass their own
+ * implementation of `AuthRbacFetcher`.
+ */
+
+/**
+ * Calls the package's SQL function `auth_rbac_user_profile(uuid)` via
+ * a Supabase JS client. Easiest path when the host project already
+ * uses Supabase.
+ *
+ * @example
+ * createSupabaseFetcher({ supabase, userId: session.user.id })
+ */
+declare function createSupabaseFetcher(opts: {
+    supabase: {
+        rpc: (fn: string, args: Record<string, unknown>) => Promise<{
+            data: unknown;
+            error: {
+                message: string;
+            } | null;
+        }>;
+    };
+    userId: string;
+}): AuthRbacFetcher;
+/**
+ * Calls a regular HTTP endpoint that returns a `UserProfile` JSON
+ * payload. Use this when the host project has its own backend that
+ * wraps the package's Python helpers (or any equivalent).
+ *
+ * @example
+ * createHttpFetcher({ url: "/api/users/me/profile" })
+ */
+declare function createHttpFetcher(opts: {
+    url: string;
+    /** Forwarded as-is to `fetch`. Use this to attach auth headers. */
+    init?: RequestInit;
+    /** Override the global `fetch` if you're in a non-browser env. */
+    fetch?: typeof fetch;
+}): AuthRbacFetcher;
+
+export { Action, type AuthRbacClient, AuthRbacFetcher, type CanOptions, type AuthRbacClientOptions as ClientOptions, PermissionMap, ResourceDescriptor, ResourceRegistry, UserProfile, buildPermissionResolver, createHttpFetcher, createSupabaseFetcher, groupResources };

package/dist/index.js

@@ -0,0 +1,15 @@
+import {
+  createHttpFetcher,
+  createSupabaseFetcher
+} from "./chunk-BRCJUCDG.js";
+import {
+  buildPermissionResolver,
+  groupResources
+} from "./chunk-4WTV6J44.js";
+export {
+  buildPermissionResolver,
+  createHttpFetcher,
+  createSupabaseFetcher,
+  groupResources
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}